Re: Jenkins ASF + Pull Requests + webhooks

Re: Jenkins ASF + Pull Requests + webhooks

stephenconnolly
That is not the problem you think it is. Bitcoin mining is the current
issue. And through Jenkinsfile or Process.exec you can bypass JVM
permissions

On Sun 6 Jan 2019 at 16:44, Tibor Digana <[hidden email]> wrote:

> Regarding "pull/1234/head" refs and the security, I think allowing only the
> permission to Maven Central IP address is needed and nowhere else.
> This can be accomplished by the java policy in JRE.
> WDYT?
>
> On Sun, Jan 6, 2019 at 11:09 AM Hervé BOUTEMY <[hidden email]>
> wrote:
>
> > I didn't know about these special "pull/1234/head" refs, that are not
> > real branches: if these pseudo-branches were synchronized to Gitbox like
> > any branch, the Gitpubsub mechanism could happen at Apache
> > of course, the security implications of running code from these PR
> > branches would still have to be managed...
> >
> > notice: there is a discussion on this on builds@apache [1]
> >
> > Regards,
> >
> > Hervé
> >
> > [1] https://lists.apache.org/list.html?builds@...
> >
> > On Saturday 5 January 2019, 12:34:24 CET Enrico Olivelli wrote:
> > > Hi Stephen,
> > > I am not a Jenkins expert, but I want to share this idea, maybe it can
> > > help.
> > > Can we use GitHub webhooks in order to trigger the creation of a Job
> > > inside Maven-Box ?
> > > This way we don't have to continuously use Github API.
> > > When a user creates/updates a PR we can import the PR and create the
> > > Job, having as repository not gitbox.apache.org but github.com
> > >
> > > In github you have these special refs "pull/1234/head" which point to
> > > the branch on remote fork
> > >
> > > just an idea
> > >
> > > Enrico
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: [hidden email]
> > > For additional commands, e-mail: [hidden email]
> >
>
--
Sent from my phone
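The JRE policy idea raised in the quoted replies (only allow the JVM to talk to Maven Central) and Stephen's point that Process.exec steps around it, as an added illustration that is not code from the thread, from Maven or from Jenkins. It installs a hypothetical SecurityManager that allow-lists one host for outbound connections and refuses to spawn processes; the host name, class names and the "allowed"/"denied" return values are assumptions made for the demo. It assumes a Java 9 to 17 JVM (Java 18+ needs -Djava.security.manager=allow, and the SecurityManager API is deprecated for removal).

```java
import java.io.IOException;
import java.net.Socket;
import java.security.Permission;
import java.util.Set;

// Added illustration for the discussion above; not Maven, Jenkins or ASF code.
public class EgressDemo {

    // Hypothetical allow-list: only the Maven Central host may be contacted.
    static final Set<String> ALLOWED_HOSTS = Set.of("repo.maven.apache.org");

    // SecurityManager that allow-lists outbound connections and refuses process spawning.
    static class EgressManager extends SecurityManager {
        @Override
        public void checkPermission(Permission perm) {
            // Permit everything not covered by the explicit checks below
            // (file, property, reflection access) so ordinary code keeps running.
        }

        @Override
        public void checkPermission(Permission perm, Object context) {
        }

        @Override
        public void checkConnect(String host, int port) {
            // port == -1 is a DNS resolve request, anything else is a connect.
            if (!ALLOWED_HOSTS.contains(host)) {
                throw new SecurityException("egress denied: " + host + ":" + port);
            }
        }

        @Override
        public void checkConnect(String host, int port, Object context) {
            checkConnect(host, port);
        }

        @Override
        public void checkExec(String cmd) {
            // Runtime.exec and ProcessBuilder.start go through this check, not
            // checkConnect. A child process is outside the JVM's permission model,
            // so a socket allow-list without this check is not a network boundary.
            throw new SecurityException("process spawn denied: " + cmd);
        }
    }

    // "denied" if the SecurityManager blocked the attempt, "allowed" otherwise
    // (an IOException means the policy let it through and the network itself failed,
    // e.g. the demo is run offline).
    static String tryConnect(String host, int port) {
        try (Socket s = new Socket(host, port)) {
            return "allowed";
        } catch (SecurityException e) {
            return "denied";
        } catch (IOException e) {
            return "allowed";
        }
    }

    static String tryExec(String... cmd) {
        try {
            new ProcessBuilder(cmd).start().destroy();
            return "allowed";
        } catch (SecurityException e) {
            return "denied";
        } catch (IOException e) {
            return "allowed";
        }
    }

    public static void main(String[] args) {
        System.setSecurityManager(new EgressManager());
        System.out.println("connect example.invalid:443       -> " + tryConnect("example.invalid", 443));
        System.out.println("connect repo.maven.apache.org:443 -> " + tryConnect("repo.maven.apache.org", 443));
        System.out.println("exec sh -c 'echo hi'              -> " + tryExec("sh", "-c", "echo hi"));
    }
}
```

Even with checkExec closed, this only constrains code running inside that one JVM. A Jenkinsfile `sh` step or any process the build forks runs on the agent, not under the policy, which is why egress for PR builds has to be enforced at the host or network layer (agent firewall, proxy allow-list) rather than in the JRE.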

Re: Jenkins ASF + Pull Requests + webhooks

Tibor Digana
disabled logs, workspace and artifacts for anonymous Jenkins users, but
available for PMC and Maven committers.

On Sun, Jan 6, 2019 at 8:41 PM Mickael Istria <[hidden email]> wrote:

> On Sun, Jan 6, 2019 at 8:32 PM Tibor Digana <[hidden email]>
> wrote:
>
> > I meant Bitcoins. Without network access bitcoins can be loaded but
> > nobody can use them. Access to Workspace and archived artifacts should be
> > disabled for users.
>
>
> That would be sad since those are actually super helpful when trying to
> debug issues that are only happening in some environments and CI reproduces
> when they can hardly reproduce them locally.
>